A number of health care providers that attested to Meaningful Use for Stage 1 have received a letter from Figloiozzi and Company, acting as CMS's auditor for the EHR Incentive Program (the "Program" or "Meaningful Use Program"), requesting certain records related to the attestation. CMS has not, as of this writing, made any announcement of this audit initiative or of the engagement of Figloiozzi and Company. While it is always good policy to confirm the identity and authority of any entity claiming a right to review or audit records, these letters are legitimate. Citing its statutory authority under the American Recovery and Reinvestment Act (ARRA), and without any fanfare, CMS has begun to audit the attestation materials.

The letters from Figloiozzi and Company, as the Department of Health and Human Services (HHS) Secretary's designee, request four categories of information:

Audited entities are asked to produce a copy of their certification from the HHS Office of the National Coordinator for Health Information Technology for the technology they used to meet Program requirements. Presumably, this documentation will be used to demonstrate that the entity "possesses" a certified Electronic Health Record technology system as required under Program rules.

Audited entities are asked to provide documentation to support the method (observation services or all emergency department visits) they chose to report emergency department admissions. This distinction plays a large role in several of the Program requirements as it determines which patients were included in the denominators of certain meaningful use core and menu items.

Audited entities are asked to supply supporting documentation with regard to their completion of the attestation module responses as to core set objectives and measures. While the audit letter's request is not specific, it would appear that this request is intended to solicit information beyond that already provided to CMS as part of the attestation process. A hospital might consider, for instance, producing reports substantiating the encounters that gave rise to the calculation relied upon to successfully attest. Such reports should be deidentified.

Audited entities are asked to supply supporting documentation with regard to their completion of the attestation module responses as to "menu set," or voluntary, objectives and measures. Again, the information request appears to solicit a level of information beyond that provided in the attestation documents themselves.

Based on questions from recipients, an amended version of the audit letter has been sent out, adding "(i.e., a report from your EHR system that ties to your attestation)" to the latter two categories of requested documentation. This clarifies that the audit letters seek additional detailed information but are not, at this time, requesting identifiable or detailed patient records.

The audit letters do not provide audited entities much time to respond – a short, two-week response time is specified. Unfortunately, it is also unclear how audit candidates are selected, so hospitals and professionals will not be able to "plan ahead" for an audit they can be certain is coming.

Ober|Kaler's Comments

Audits are always nerve-racking, but these letters do not appear to be the type of specific, targeted, detailed investigation that can give rise to significant operational interruptions and expense. Rather, these audits, based on the initial letters and the request for information typically stored in the EHR system, appear to promise a very basic desk audit. It seems likely that the results of these broad, basic audits will be used by CMS as the basis for further audits under subsequent initiatives at a later date.

It is important to note that while the audit letters state that information submitted will be confidential, they do not specifically request identifiable patient health information or other, similar PHI. Audited providers should be careful to ensure that they do not simply "throw the kitchen sink" at Figloiozzi and Company and, in the process, provide unnecessary and unrequested PHI. As always, entities should provide the "minimum necessary" information requested.